
War-Dining and Stroll-Trolling with a Robot

BSides Detroit · 55:17 · 298 views · Published 2012-06
About this talk
John Moore talks about how exploitation and social engineering can occur in regards to smart phone attacks against public Wi-Fi networks and what behaviors and technologies can be utilized to minimize the impact of sensitive data loss for both individuals and businesses.
Transcript [en]

All right, I'm going to introduce the next talk, and the last talk of the day. After this we will be giving out the prizes from the lockpick village, so if you haven't done the little contest that Chris is running in there, there'll be another hour to do that, but he'll be giving out prizes for first, second and third place in that at the end of this talk. So without further ado, this is John Moore. His talk is War-Dining and Stroll-Trolling with a Robot. For almost a decade John has dedicated his time and attention towards providing a comprehensive, hands-on information technology and security education to aspiring professionals in the Detroit area. He has taught over 200 sections spanning multiple platforms, including Windows, Linux and the Cisco IOS. He has presented many security-related courses running the gamut from hack attacks to computer forensics. As a result, as of recent he is researching how to extend the capabilities of smartphones and the security implications of such extended capabilities. This is John Moore.

You guys hear me okay? All right. Kind of the birth of this talk: we have a little more time in this, so I kind of got to break it down. Are you guys all in the Michigan area? Most of you guys, okay. If you are, you're familiar with the place called Frankenmuth, right? Yeah. I was heading up north one time and I had my phone tethered, I had my computer tethered to my phone, okay, and so I had to root my phone to get this capability. And while I was sitting there waiting for my wife and my kids to come out from using the restroom at Frankenmuth on our way up north, all these phones kept trying to join my wireless hotspot. My phone was attempting, and they were just walking right on in. In fact there were a lot of BlackBerrys; they just said, hey, there's an open connection, jump on. Okay, and I go, wow, this could be a security issue, we could have a problem here. People shouldn't just be jumping on untrusted Wi-Fi. We know this, right? But we never really had it in terms of being such a small, compact structure. So I started doing some research. I was like, someone's got to have researched this out there, and I discovered there was no research on this. Okay, and I realized that my sister, my mother, they have smartphones and they don't really know how to use them, and there's all these implications of having this device in their hand and they don't know exactly how to manage it. So when I started looking up the information I realized that no one really did anything on this yet. So what I did is I'm effectively kind of trying to fill that niche.

Okay, so this talk is about understanding. First, there's the concept of rooting your device. You guys are familiar with this? Sound familiar? Okay. With this, people always say, well, just don't root your device, it's bad. Okay, but there's a reason we root it to start with. What do we gain by rooting it? Access. We gain access, we gain capabilities. Okay, so it's not necessarily bad, but it's got to be, you know, what did we learn from Uncle Ben? With great power comes great responsibility, right? So we have to look at this from that aspect, and that's kind of the impetus, the drive behind this talk. And I want to have you raise your hand, because you all follow this category, but if you have a smartphone, or if you know someone who has a smartphone, this talk's for you. Okay, so this affects everybody in this room.

All right, so let's first do all the disclaimers. When I did this research I did it all off of my own devices. I did this in my home, I did it with my own computers, my own network devices. Do realize that, you guys may or may not know, if you start sniffing external networks without permission, that's illegal. You can't do it, okay? But does legality stop the bad guy? No. And so the whole purpose is to make sure you guys understand how to do this stuff, how the bad guy is going to do this stuff, what are the implications of the bad guys doing this stuff, and then we'll go from there. Okay, now the good news is, there's a takeaway. So I'm going to show you guys how to do this, I'm gonna scare you, and then I'll show you how to fix it. Okay, that's the whole point. Why scare you if I can't tell you how to make good with it? Okay, so that's pretty much here, just a disclaimer saying be a good guy, don't be a bad guy.

You guys are going to learn this today. You're gonna be able to walk around; it's excessively easy to do. Okay, but realize that there's legality issues and other issues. But again, to do the research, when it's your own network, I hope I don't sue myself; the only one that's going to win there is a lawyer. Okay, all right.

So let's talk about some of the misconceptions we've had. This history moving up to now: that phones are phones, right? They're this thing that used to be on the wall and now it's in our pocket, and that's what we see them as. Okay, but when smartphones came out, that actually changed. Now, if you guys watched the Android program, or when they put it all together before they had Ice Cream Sandwich and all the good ones, it was effectively a computer. It was a Linux kernel that they added phone capability to. So your smartphone isn't really a phone at all; it's a computer with phone capabilities. Can you guys accept that? Okay. It handles packets just like computers. In fact, if you do things like rooting it, you can put operating systems on there; we'll talk about that too. And with that, you get all those capabilities that come with that. But this is a computer with phone capabilities, and most people think it's a phone with apps. That's different, because a phone with apps doesn't necessarily mean it has packets and things like that. But when we start turning on our internet on phones, it's acting just like any other wireless computer would. Okay, so when we classify smartphones, we shouldn't classify them as phones; we should classify them as what? Mini computers that we happen to keep in our pocket. Okay, so good, right? With phone capabilities. So this is the first thing I want to bring to light: let's make sure we understand that.

The next is, I wanted to do these exploits with no money or little money. I don't know about you guys, but I want it to be cheap. If I'm going to do it, I'm not going to spend 100 bucks to hack it; I'm going to try to do it for zero dollars and zero cents, and if I can't do it for zero dollars and zero cents, I'm going to try to do it for $10, right, and then 20, move up the line. All right, everything I'm going to show you guys today, except for the remediation (some of the remediations), was free. Okay, so, wow. All right, it doesn't cost anything to do. All you need is a smartphone, which you can get from any provider out there, that can be rooted, and we're moving from there. All right, and so all these tools we'll be getting are either from the internet or from what's now called Google Play, which used to be Google Market, right? I'm working on Android. This can be done with the iPhone too, and I will reference what tools will work for the iPhone, but if you guys have an iPhone or Android, this is all possible. All right, and like I said, I did some research, even though some of the things I'm going to talk about are not new at all. Okay, you guys probably have heard of things like war driving; we're going to talk about that. These are old concepts, but this is a new implementation, and no one's touching it, no one's talking about it, and again, it affects everybody in this room.

So with that, I had to create a language that worked around these concepts that are, well, brand new. Okay, now war walking is not new, but it's got a new face. War dining is, and we'll talk about where this comes in the picture. Wi-Fi phaking: notice the "ph". You guys heard of phishing, right? There's a social engineering component to this. And once you Wi-Fi phake, you can start what? Stroll trolling. Yeah, don't say that five times fast, you get tongue-tied. All right, but you'll understand what this is, and it comes from understanding how Wi-Fi phaking works, and this is a social engineering technique that makes this possible. Okay, and then at the end, after I've explained all this stuff, I'm going to show you guys how to fix it. Okay, and we fix it just like we do laptops. But again, we have this misconception that phones are phones with apps versus what? Computers. All right, awesome.

Okay, so what do we got? Let's start with a phone. You go to your provider, you get a phone, you go, all right, I got a phone. I would really like to not have to pay to tether it. I would really like to run Wireshark from it. You guys know what Wireshark is? Okay, it's used to capture what? Packets. Good. All right, but you can't do this with an unrooted device, and if you go into Google Play there'll be a whole category of apps that say your phone must be what to run these? All right, now we got a new issue. Okay, so if you want to root it: I have an HTC phone that I used for this. There's other programs for other different types, okay, so all you have to do is literally go to YouTube, type your phone with "root"; there's probably a tutorial and all the links to the files for it. Most rooting takes less than 10 minutes. In fact, when I did mine, I did it off of (thank you, thank you very much) I did it off of the 2.2, so I used unrevoked. It literally took 10 minutes or less to do it.

Okay, now understand what this is doing. You are effectively rooting your device, which you're accomplishing by exploiting a vulnerability and dropping a payload that has the capability to allow you to escalate your privileges to root when you want. Okay, so if any of you guys went to the Metasploit lab or the Armitage one, this is no different. Someone found a hack for either the iPhone or for the Android, and once they do that, instead of giving the bad guys control, they give you the ability to become admin. But if it wasn't for that, you're locked out of admin; you're just a regular user. You guys good with this? Okay, so this is what we're gaining with rooting.

All right, now let's talk about the pros and cons of rooting. You just got a brand new phone that cost 600 bucks, but since you got your two-year plan you walked out that door for free, and you walk home and you go, I really want it rooted, and you go to root it, and, yeah, it bricked. Uh oh. What do you got to do now? Yeah, you're going to have to go give some crazy story, try to get a replacement; if you don't have the insurance you're going to pay big on it. All right, so doing this can be bad. I'm not telling you to run out and root your phone, but if you root it, you gain

capabilities. Well, what do you gain? Well, we can actually, depending on the right tools, set up a new ROM in there and make this a pentest tool. We could actually have Armitage or BackTrack running right from our phone and grabbing packets off the network. Okay, you guys follow so far? We can't do that when it's not rooted. Wi-Fi tethering: now, you can do that through your service provider, but it usually has a cost associated; once you root it, it becomes free. Okay. Enhanced file management: you only can get into regular files usually, but now that you're rooted you can be what? You can be admin, which means you can get into all the files, so, enhanced file management. All right, and this is actually good for... some admins will argue for BYOD, bring your own device, that it's okay to root it, because at least you can see everything. If the bad guy's getting root, they're going to leave it in places that you can't touch as a regular user. You guys cool with that? Now again, I'm not advocating that here, and I'm going to advocate something else later, keeping it factory, but this is one type of thought out there about how to handle these devices. And another one that's very nice is, believe it or not, you can't get a simple screen capture for these things unless it's rooted; it needs admin privileges to get there. So there's other things besides these.

What I really like is this one, and this one has implications to stuff that, you know, may turn into talks later. So for instance, I don't know if you guys know or not, these devices don't usually come encrypted, and I don't know if you know, in Michigan you can get pulled over for texting, and they'll throw your machine on this device and they just take everything. Okay, and they'll be able to tell; you can't just go in and say, I deleted that file. In the background, through the forensics investigation, it will show that you texted there. Okay, now there's ROMs out there that are being developed that have full disk encryption. Guess what goes bye-bye then? But you're not going to be able to put that in if you didn't do what to your phone first? Okay, so moving forward we may see things like this fall out of these type of ROM projects. In fact, don't quote me on this, I didn't do heavy research on it, but I believe that the Department of Defense is working on an Android-type kernel for this exact purpose, because they don't want their stuff to get out there, right? Okay, now moving forward, companies may start doing this full disk encryption; we're not there yet. All right, but right now your system's open. So I mean, look at all this stuff we gained by doing it. That's great, but also you might void your warranty, you're not going to update your phone, which means that later vulnerabilities are going to become more prevalent. Okay, so do understand that there's a trade-off between rooting and not rooting. You guys good with that? Okay.

All right, so once you root it you'll get used to seeing this. What is this the picture of? Yeah, once you request anything that has admin rights, it's going to pop up on your phone and go, hey, we would like to be admin, would you let us be admin this once? And if your phone's rooted you can say yes, and it says okay, you're admin. That's where that extra capability comes from. Okay, now to do this hack, based on this, we got the device rooted. What are we gonna do now? Okay, we need a couple things. A packet sniffer: a common one we said for computers is what? Wireshark. Great program, use it all the time. Okay. Wi-Fi hotspot: again, the mobile tethering, right? Okay, and again we can do this without; we can pay the money and do it too. And an aggregation tool. Now here's the deal. You guys said you use Wireshark. How many people said they used Wireshark here? Okay, now once you get that pcap file, which is everything you gathered, right, how do you analyze it? There's thousands and thousands, maybe millions of packets. You just start going one through one and going, oh, that's exactly what I'm looking for? It's brutal. Okay, so you need a tool that can aggregate that data, put it in a way that's really easy to read, and we'll go from there. We're going to use a tool called NetWitness for that; we're gonna talk about that. Awesome tool. It will do some really amazing things; you guys will see this stuff becomes trivial after we use these tools.

Okay, so some smartphone facts. I was reading a Time magazine in February that said that almost half the population own smartphones. Okay, well, this is a computer in their pocket. This is a viable platform for exploitation. Okay, and what if you take this device that's been rooted, and maybe been hacked, and you put it on a network? What could it do? It can infect that network; it could become a pivot point for it, right? So we got some big problems that could arise from here. All right, but again, half the population almost has these devices. Modern data plans have data limits, and they just announced that they're not going to be giving out, at least AT&T, I don't know about Sprint, but

I mean AT&T, Verizon, will not be giving out unlimited data plans. As a legacy, if you already have it, if you want the free phone you can keep the plan, but you got to pay the six, seven hundred bucks for the new phone. Okay, if you want to re-up your data plan, your plan to get the $100 phone, you're going to take a package like four gigs. Okay, and I don't know if you guys... I download a ton of podcasts, security-based mostly, okay, and they take up huge amounts. Now, how do we get around this, from stealing our data, from using all that data plan? What can we do to make that work a little better for us? We join it to a Wi-Fi. They have created a context that's making it so we're going to get hacked. Okay, but they haven't realized that yet, because maybe they don't know about this. All right, so networks are highly available in the public. This actually had a huge effect on my talk over here; okay, we'll talk about this later, I'll see if you guys can figure out what happened. The last time I gave this talk was at BSides Chicago, and all this stuff worked like a champ. Okay, we had a ton of people join, and we'll talk about that moving forward. Smartphones send packets like computers; we already discussed that.

Okay, so let's get going, let's get this environment up and running. You go to Google Play, and if it didn't say "installed" already, it would say Shark for Root, which is Wireshark for your device, which you couldn't install unless it was rooted. Cost how much? It was free. Again, I already had it installed so it didn't show you it was free, but right now I've paid zero dollars, zero cents, and now I have a rooted device that can capture packets. Does this sound like a powerful device already? Okay, let's see what else we got. Okay, so let's talk about it a little bit. Again, we can get it from the Marketplace, which is now called Google Play as of the last couple months. It's used to passively sniff packets. Do we understand the difference between actively and passively? What does that mean, passively sniffing packets? Not injecting any traffic into the network I'm operating on. And what does that mean to the network I'm monitoring? It doesn't usually see me there. Depending on what I do, I'm going to show you some tricks that might get me noticed, might not, but nonetheless I'm not going to be seen. I am just looking from a tower view down on traffic, and I don't know, maybe I'm looking for a white Bronco, if any of you are old enough, you know what I'm talking about. All right, there we go.

It gives network security professionals the ability to analyze data to and from the target device. Now this is good for you admins out there, because let's say you do have iPhones or Android devices in your work environment: by running this on there you can see what data is escaping. Okay, so this isn't a bad thing. There's a lot of wonderful tools, and as you guys know, in security these tools are like wrenches: you can use it to fix your car, or pop someone over the head with it. It's the intent of the tool. Okay. It gives criminals the ability to gather and exploit sensitive data; that's the purpose of this talk. Okay, we use it for good stuff, but the bad guys can use it too, and I don't know about you, but I don't want my grandma getting hacked by these guys, so I want to make sure they understand what can go wrong and how to fix it. All right, now if you're using an iPhone, they don't have Shark for Root, but you can download a kernel that will be running Pirni, okay, and that is an actual packet capture program that will do the exact same thing for your iPhone as Shark for Root does on Android. So either one you got, you can still do this. Now, I probably didn't say it earlier when I was talking about the iPhone: the iPhone is even easier to root than the Android device, because a lot of you go to jailbreakme.com, or I think it's JailbreakMe, and you literally just, sometimes we'll hit a slider, and that slider has the injection in there to make it happen, then you're rooted. Woohoo, that's fast and simple. Okay, so once you're rooted on that device you can throw Pirni in. All right, so there's your iPhone, there's your Android. All right, so what does that leave us with? Okay, well, we realize that wireless points now are bad, and we have a sea of sharks with them. Okay, so bad stuff. All

right. So here we go: three steps to hacking you, really quick, really easy. Turn on your Wi-Fi signal. So you guys know there's a bar here, okay; even the least capable IT person can go click and make that thing go green. So far so good, right? Okay, then I go in here, and if any of you guys have used mobile you know all these steps: you're going in, you're picking your wireless, you go in right here. I'm picking Cthulhu to get into, and now I'm in. There's some others there, but I'm picking that one, and I'm looking for open Wi-Fi. Why am I choosing open? And this will work also for WPA or WEP or whatever they got on it; it will work too as long as you're on the network. Okay, but this one's an open network I connect on. Okay, so, two steps, I've joined the public network. All right, and I allow it, right, because this is my super user, this is that exploit through root that kicks it in. Okay, and effectively I'm up and running now. Now I start Shark for Root, and it will start recording packets, just like it would be if you had a phone conversation and you hit record on a tape recorder: every packet that's coming through that point, you're going to see. Okay, now what happens is, like, you know, a Coney Island wants to up business, so they go and buy an off-the-shelf D-Link router, they put it up, they make it open and they say go. What's the problem with that configuration? Everybody sees what everybody else... we got an issue, because everybody sees everybody's traffic. So as soon as we do this it's going to start capturing not only my traffic but everybody else's. Okay, now this can be good and bad; depends on where you're sitting, what you're surfing, what you're doing. We're going to talk about it here in a second. Okay, so you get the concept. Now there are ways to lock it down, and I'm going to show you guys how we can get around that even. Okay.

Okay, so let's talk about where war walking is now. We have this device, we just walk up, we could be at a park, and it's going. And let's talk about this. Now historically there was war walking, but war walking, you walked around looking like an armadillo or something: you had a backpack on, you had 20 antennas coming off your back, and you looked suspicious. You're walking down the street with this backpack and all these things popping off, and you're like, that's suspicious, that person may be war walking. You get that, right? But watch this: one, two, three. All right, I'm war walking. You see the antennas on my back? I might grow some later, but they're not there now. Okay, all right. Sitting in a parked car: this is called war driving. Now I don't know about you, but if I came outside my house for two days and some guy's parked right in front of my driveway, he's got a computer and he's staring at it, I'm going to call that suspicious. Again, in my pocket: not suspicious. You have an unmanned aircraft circling your house: this is war flying. You guys heard about this one, right? Okay, and actually there's some law enforcement agencies that are getting these drones, okay, so this is a reality. If you have a hot air balloon over your house, that is war ballooning. Okay, you will see that, you will notice a balloon above your house, I promise. Okay, and so effectively this is a new face, because war walking is no longer as easily detectable, because we're doing it with a wireless device, or with a smartphone. Okay, and again, because it's passive sniffing, we're not going to set off any IDSs. No problem, everybody's gonna say, hey, this is good, and you don't know who's doing this. It's just, whoever's got that phone in their pocket could be the one that's gathering the packets from this network.

Okay, so let's give it a definition for you. War walking: the act of lingering or loitering in a geographical area for the purpose of gathering packets, without prior authorization (very important), over a public wireless network using a smartphone or tablet. Tablets work too, guys; you can root those and do those also. So as long as they have Wi-Fi capability, you can do this. Okay, and laptops work too, but again, laptops are much higher visibility. So any of you guys watch Hak5 and stuff: he'll be sitting with a directional antenna in a bar; you go, okay, I know what the guy's doing. Okay, so at best you get the jerk status, at worst you have the police asking, why do you do it? Okay, but again, under this situation, it's in your pocket, no one knows the better, all these packets are being captured right from there. Okay, so some scenarios that would work. You go to the park. Say the bad guy's got a couple kids, playing with his kid in the park, or his dog; there's an open Wi-Fi down the street, he connects to it, starts storing these packets, stays there for an hour playing frisbee, having a great time, then goes home and analyzes the packets. Okay, so this problem: hang out in the mall. You ever see those walkers? There's always those walkers in the mall; they may be war walking. Reading on a park bench, right: someone's just sitting there, and notice that this is, you have to kind of stay in the same area, because you have to stay connected to that point. You guys with me on that? So that's where the loitering concept comes in. They have a lot of Wi-Fi in movie theaters now; maybe we can call it war watching, I don't know, it's up to you guys, if you like the name stay with them. Okay, all right. Eating a meal. Now this is a big one, because again, many, many restaurants have this, and you need this time, and if you're eating, you know, an omelet or a nice steak, and they got an open Wi-Fi, that whole time no one's even suspecting what you're doing. But you'd be shocked: when people are waiting for food, what are they doing most of the time? Let me check my Facebook, let me check my Twitter, and on and on and on, right? Okay, so there's a lot of data that can be garnered just by eating a meal and doing this. So war dining is definitely a threat now, as well as war walking. Okay, so let's talk about that. It is again, by definition, an unauthorized act of gathering packets over a public wireless network with a smartphone or tablet while congregating in a Wi-Fi enabled establishment with the intent of eating or drinking. And this one's a little shaky, because the next-door neighbor could be the one that has the open Wi-Fi, right? So as long as you can connect to it, good to go; if you have access to it, good enough.

Okay, now let's say that they did a good job. You go to your local resort and they actually lock down the wireless, and by locking down it means that once you talk to the wireless point, it turns off the ability for anybody else to see it; passive, excuse me, passive sniffing will go away. You guys follow me on that? Because I'm sniffing, but the only thing I will see is my network traffic leaving there. You guys good with that? Okay. They have a program that used to be on the Android Market called arpspoof. They pulled it just recently, I think about two months ago they pulled it; I can still find it on the internet. Cost how much? Zero dollars, zero cents. Okay, so again we're still at free. Now what this does is it creates a man-in-the-middle session. How does it do it? Look at the name: ARP spoof. It does what? Spoofs ARP. Do you guys know what ARP stands for, by the way? Address Resolution Protocol, right. Okay, and what this is going to do is trick these machines to think that they're talking to the base, but they're really talking to who? You. And then it's taking it from you and transferring it to that point, and from the point everything's happy. It says, all's good, we have all these different IPs from all these different people talking directly to us, but they're not; they're being intercepted first by the middle point, which is your Android device or your iPhone. You guys follow me on that? And if you got Wireshark running, what are you doing? Again, you're gathering all those packets. Again, we're back where we started, so configuration's not going to help us. What do we do? All right, so we'll talk about that moving forward; we can fix it.

This is also a fun one, something you can mess around with, and I like doing this with my wife and kids. I'll have the network up and running, I'll be going, oh, what page are you on? They go, I don't know, and I'll just pull up Peak, and what Peak does is it'll seize that data. I'm not recording all of it; it's looking just for the images, and it will start displaying the images on my phone. Now this is actually in the Google Play market for a buck 99; you can download it, but it's a great tool to let you know if your arpspoof worked, because if arpspoof works, what are you going to start seeing? Pictures. Okay, stuff like that. All right, so I'll be like, yeah, you know, you're at, you know, scoobydoo.com, if that's even a site; don't go there if you've never been there, it's probably not Scooby-Doo. But yeah, so you guys get the concept, right? You guys follow me so far? Everybody there? Okay, all right, so again this would allow images to be displayed, an easy way to confirm that the ARP spoof is working. Okay, so you've gathered the data; you can show that the data can be... or again, the bad guy's doing this, right? They're on networks they don't have authorized access to, and they're gathering the data.

now let's talk about what the problem is why is it bad to gather data what's the bad data out there there's actually dat data doesn't have to be bad but there is bad data what type of data is bad data is in what form clear text this is bad for us because it's a clear text it means we can reconstruct it in its beauty as a whole right and if it happens to be an HTTP based user name and password for your email guess what I just got or the bad guy just got your username and password and a lot of you guys know that that email accounts are a lot like our wallets these days we have resets in

there for our banks this is where our bank goes to reset passwords this is where a lot of our accounts go and we just the bank gu can go in there and search for password and he's going to see all the accounts you've set in the p in the past and know what you can reset you follow me on this so this is bad stuff all right um so then the question becomes well first they need to analyze it and then we got to figure out a way to stop it so let's talk about how analyzation can work you gather you know let's say the the bad guy gathers a gig of data from some point they're at a you

know sporting event and they played it for four hours and everybody's joined everybody's using it okay that's a ton of data so it's hard to find that password in clear text okay now if any of you guys are network admin this is an awesome tool and I suggest looking into it to run on top of wire shark um it will allow you to aggregate all your data in your system based on all these things that we talked about so once you get this inst installed it's pretty simple like I I just went to the website and for the home version it's free so you know if you want to test your own network on this and again I'll show you

some things I gained from my own network from testing it and again we're going to do this from a network standpoint but the bad guy can do it too right so it's good for us it's good for the bad guy and we we can thwart the bad guy by doing some simple techniques and we'll talk about them a little bit so here we go I go through net witness I add the bad guy give him a password he's got he's got a fully licensed version of of that witness ready to go all good again how much did I pay wow I'm still up to Z I got all these wonderful tools okay what else so here's a demo collection

we're just going to leave that, but here's how you bring one collection in. These slides will be accessible, so if you've never used NetWitness... I did this on purpose so you guys could see how to add a collection. You create a new local collection: just right-click and it'll let you pick it, okay. I named this one "war walking and dining"; you can name it whatever you want. So for instance, if you're doing a pentest for company X, you could write "company X" here, right? Maybe put a date, like, you know, if you're doing multiple pentests, to let you know what you're up against. Okay, so there we've got the name and then we hit

okay. Now once I get it, it's not ready yet; I have to right-click and hit what? Connect. Now I have a repository, a container for the data I want to import. Okay, so far so good? All right, now I'm going to import the packets. Now when I did the Wireshark, it created a file that had what extension on it? pcap. Good. Okay, so I'm going in now. This is exactly right for my phone; these are multiple dumps, okay, right from my network. And again you can see they just organize them; I usually just do it based on time if I want it. And then after, if this was a

professional pen test, I would obviously label this, put it in folders, go from there. So I'm just going to bring them in here. Now if I want to bring in all of them I just select all of them. A lot of times I'll do multiples, because if this thing errors out before I close the file, guess what happens to that entire session? It goes bye-bye. So every once in a while, every 10 or 15 minutes, I might close it and reopen it. Okay, am I going to miss packets that way? Yeah, but there's still probably going to be some juicy stuff there. Okay, so I get them in, it's going to import, you see it just

goes zero to 100, boom, imported, good to go. Okay, now when we open it up we get this aggregated view. This is really powerful, and this is great for you admins out there, because what you'll see is it will give you all your alerts up here. Okay, so up here it tells me there's a sample vulnerability, non-standard HTTP; that means that something might have been spoofed, you guys good with that? Or there could be maybe some type of SQL injection, PHP issue, okay, but it's something I want to look into. There's one of them there. Oh, look at this one: sample vulnerability, clear text password. Oh, we're going to have fun with that one. Okay, and then there's some other

malicious, possible IRC information going on, so this system could be compromised. You guys know that IRC is the back door channel for a lot of command and control devices, right? You guys familiar with that? Okay. And down here, look at this: user accounts. I might have two gigs, but it tells me right here I have an "sa". "sa" is usually used for what type of devices? What usually uses "sa" as a name for an admin? Yeah, databases, right; databases will use that. So uh-oh, we might have someone's database login credentials, and that can get really ugly. Let's say it's a bank; what do they keep in their databases? How much money you have. The bad guy can get rich

in three seconds: five million bucks, go. Okay, another one, Joan Sample, and Bobby; we had them in, and look at this, it even has some emails for these people. And again, we saw that emails can be dangerous too, right? So I click on one of these. What I do here is I'm going to go in here and I'm just going to right-click on this login and say drill down. When I drill down it's going to give me this view, and look at this: this is that packet, here's the username, here's their password, here's their email. This is big. This is really bad, and if this was,

let's say, Active Directory credentials, what could they do? Yeah, they can do a lot, right? And just because they're a regular user doesn't always mean that they can't do much. What can happen on the exploitation side if someone logs in with a regular user? What can they do to get up to admin? What's it called? An escalation hack, right; this is a privilege escalation hack. You piggyback the user through; once you're logged in, you put in an exploit that then gives them admin credentials. Okay, all right. Now you say, okay, well yeah, the passwords aren't that big to me. Now if you're using NetWitness, what is it, which

one was it, 9.5 or higher, you will get this new button, and this thing will allow you to then mold whatever you want out of here. So not only do I get your password, I get any conversations. Let's say this is a call center; they will do computer calls in WAV formats, I don't know if you guys know this, okay. So I will get all the calls. Let's say it's healthcare: am I HIPAA compliant if they're getting the phone calls? No. Video, documents, web images, archives, executables, BitTorrent, okay. You can even find out if the people on the network are doing BitTorrent, and if it's

not on this list, what do you do? You can make your own. So you have total control under this; this is a very powerful tool, okay. And again, was this that hard? All we had to do is push some buttons and it told me exactly what the username and password was, okay, which I see here. Now, some lessons learned. Let me explain what I've learned from using this. Now where I felt this was really important was, I was at home, I was sniffing my traffic, and I realized that about five times a minute I had my Active Directory credentials popping out on the web, just going "here I am," and they were in clear text. Okay, and then

right then I changed my diaper, okay, and I said, wow, I'm glad I caught this, because anytime I join a public Wi-Fi, guess what's gonna happen? Yeah. Now what I came to discover was that the Exchange server was misconfigured; it was allowing guest access through HTTP, which is what? And what did I need to make the change to? HTTPS. Once that change occurred it all became cryptic again, because they added what to it once they put that S on? Encryption, right; we added encryption to the mix. And so I found it before the bad guys did. If someone was sniffing me, whether it was their computer, laptop or phone, they would have

got these credentials, and that could have been a back door into the system that was Active Directory based, okay. So this really is good as a proactive way to see if you have credentials leaking, so I suggest definitely, on all your devices, take this information, check your own device, see what it's leaking, if you have any. And this all came from an app, an email app that syncs with my Exchange server; that's what caused this. It had a configuration that was misconfigured, and I had to say "use SSL" versus "use whatever it was," and it kicked in. But again, I would never have known that if I had not done a Wireshark

slash NetWitness against my own machine, okay. Some other interesting things now: have you guys heard of a program called Creepy? Yeah, what does Creepy do? Yeah, it's creepy, because what it does is, wherever you go, if you log into an IP point, it will see that IP point; they might say "you are here." So you could call one of your friends, if you had Creepy running, and be like, "I see you're at the sporting event," and you'll really freak him out, because it's IP. But when some of these apps phone home, it's trivial for people that know the code, that can get in, to adjust the code, if these things are dialing out all

the time. So what I noticed was Angry Birds was jumping to some site for updates, so every time I knocked on the door... now let's say this was unique to me. I could make this a signature for Creepy, and what could happen? You could track my whereabouts every time this thing phones home. You guys good with that? You guys understand what's going on here? So it's very important that, again, we have these tools. These are computers with all these packets; we don't really think about it like that, we think about it as "I got my phone, ah, whatever," okay, but this is what's going on under the hood, so we've got to know about this stuff, okay. So

we're only halfway there. Now, I started thinking, all right, well, so we are able to take... we can hit a mobile spot, we can get this, but what if there is no mobile spot, okay? And this worked great at BSides Chicago; BSides Chicago didn't have a lot of mobile access. What you do is you take a bad guy, bad girl, with their jailbroken or rooted device, you take a Wi-Fi tethering app, you take a little bit of social engineering, and you get Wi-Fi faking. Let's talk about what this is, okay. So: the act of configuring a smartphone as a Wi-Fi hotspot using socially engineered naming conventions like "free internet," with the sole purpose

of luring devices and individuals to join the network with the intent of capturing and exploiting personal, confidential data. So what I could do is, and you guys may have seen that here, and it didn't work good here, and we'll talk about why, and if I was a real bad guy I wouldn't do this, because I had to give you guys something I controlled. If you guys looked on your Wi-Fi earlier you may have seen a "BSides free internet." Did anybody see that out there? Okay, if you've seen that, that was me, okay. Now that worked great, and what I do, it's on the

morality side, is I have a filter, so anybody that knocks on the door and says "let me in," I don't let them in, but I can see who knocked. So it's the bobber going down, but I'm never reeling in the fish. So I don't take any packets; I just want to see how many people are joining. You guys with me? No damage done here, no ethics broken. However, if this is a bad guy, they could easily say what? Allow. And they've got Wireshark going, and that's crazy stuff, okay. Now we'll talk about why it didn't work so well here. I'd love to say it's because I opened up awareness at BSides Chicago and

everybody's aware of it now and no one's doing it. There's a different reason here, and again we'll talk about it; see if you guys can figure it out at the end, okay. So once you've got this point, let's say, running right now and you guys are joined to it and I'm stealing packets, this is stroll trolling. So the bad guy's walking around, and again, I don't look like anybody else; I don't have any wires off my back, no antennas, I'm just hanging around and letting you guys use my free internet. Oh, and while you're using it, I'm stealing everything you give me, by the way. But it's, you know, that's the tradeoff, right? I mean, if you think about

it just a little bit, it's what Google and Yahoo and everybody else does, Facebook: you are the commodity. Think about it, okay. So, examples of stroll trolling. Let's say we go to a Lions game, okay, and they might have a free internet connection. Well, we'll change ours to what? "Lions free Wi-Fi." Wouldn't you guys say, "well, this must be the Lions"? You just look at your thing: "hey, this might be it," join it, okay. Another one: let's say you're at a mall or any crowded area, and again, you want people around for this, because if it's just me in a park it's just creepy; it's not helping me at all, okay. That would be like

something like "free internet," okay, "name of mobile Wi-Fi hotspot here." Now this is where it got tricky. So I could have done "GM free internet." I can't do that. The reason being, if I would have done that, people from GM inside here would have done what? Tried to join, and I'm not letting them in; I would actually have DoSed them, okay. So I didn't do it; I kept it to "BSides free internet," because that was the deal. So really what happened here in this environment was that if you guys all looked online there was an absolute ton of open connections, right? And there's one, you know, that's associated with this place, called GM, right? So you

might have clicked on that one, and that's the one you used. All right, now based on the stuff I told you, what would I have done differently if I was the bad guy? I wouldn't have spoofed and done a stroll troll. What would I have done? I would have joined the GM one, I would have ARP spoofed if necessary, and I would have captured packets that way. You guys good with that? So I don't need that environment, but if there's no Wi-Fi and you guys are hungry to save your minutes and I turn it on, I'm the savior, at least it looks like I am, but really this is a social engineering attack; I'm stealing data, okay. And again that's how the bad

guy's going to do it, all right. So I hope this helps drive home the fact that untrusted networks are not safe networks. Are you guys good with that? We're going to talk about some remediation here coming up, okay. So where do I feel this falls? Now again, on the corporate side it might be medium, because you have to have physical proximity; it's not all over the world, okay. But it's super easy to do, and your mother, your sister, anybody with a smartphone is subject to this, okay. So in my opinion the probability of being able to push the buttons to make it happen is pretty high. I think anybody in this room, if I showed you a button to

click, you could make it happen. The impact, if they steal your, say, your Active Directory credentials or any password credentials, that's pretty high, would you guys agree? Okay, so you know, I put it up here, all right. Again, you know, every type of security person would have their own matrix they set up. You should be familiar with this; if you guys know any security, or if you're in security, you guys are familiar with this matrixing system, right? Okay, very simple, but that's where we sit now, okay. So let's talk about fixing this, all right. Now how do we fix computers? Let's again think of these things as computers. How do we fix computers from

having these issues? They've had these issues for years. What do we do to fix them? I can't do that, there's too many. What else we got? What was the other one? Updating and patching helps in terms of our exploitation, but it doesn't help in terms of hiding the data or making the data into another form. Encryption. What kind of tools do we have out there that can help encrypt for laptops? In fact, if any of you guys do any remoting to your work, you're probably using one. What did you have to use before you got onto that network? Hopefully, and if you didn't, don't tell me, okay. You're using a VPN, all right, which means that

everything going through there is what? Encrypted, okay. But let's say that's going to have a cost association, so let's just start off with the good and the free and see what happens, all right. First thing: some of your devices will just auto-join any open network, because you're trying to save money. What should you do to that feature? Turn it off. And if you're not using Wi-Fi and you don't have to use the Wi-Fi, then just don't use it, okay. So long story short, don't trust any external point out there; if you don't own it and it's not encrypted for you, don't use it, or if you have to use it, understand that this is

something that's probably public, and go from there, all right. So you stop your device from auto-connecting to an open available hotspot. When you can... for instance, a lot of old-school Google used to do HTTP, Twitter, Facebook would all do HTTP; if you logged in with that you would have those credentials out there. Now the good news is this problem's been happening for years on the computer side, so they've made most of these what now? Okay. So when you have a choice between picking one or the other and you're on a public Wi-Fi, which one do you pick? Okay, so just be smart about it, same thing you would do with your laptop, okay.

But the problem is with this, even when that site is encrypted, you're still leaking DNS information, Angry Birds is still phoning home, and they're still seeing all of that in clear text. So I was bringing you

right... and now think about it: let's say you're running for an office and you just got some results back from the doctors that said, yeah, I don't know, you had some type of, you know, your heart's enlarged, you're a health risk, and you're running for president. Think if that's out there; that could be a problem. These are extreme situations, but you get the concept, right? Data leakage when you don't want it leaked is a bad thing; it's not a good thing, okay. So we see that some of it will help, like I said; you've got to be careful, but in the long run this still isn't perfect. This is just: you didn't pay any money, you're

trying to be smart about using public Wi-Fi points, okay. What we need, though, is... first let's talk about the paradigm shift, all right. Think of these like when you guys go to the library and surf. You don't do your most intimate searches on the library computer, at least I hope you don't, okay, because this is a public terminal; these are being monitored, it's all being recorded. In fact, in the background they're probably running Wireshark on this stuff to make sure it's staying legit. So anything you put on here is going to get picked up. Now the good news is the people that do this are usually good guys, so if you happen to leak your

data, okay, well then they will see it and they say, all right, that was a no-no, don't do it. But if their purpose is to steal it, we've got something new, okay. So assume all actions are being watched and monitored anytime you use open Wi-Fi. You guys good with that? Pretty straightforward, right? Okay. Now this is kind of cool if you guys do have the unlimited data, and this comes in handy for me: when I'm anywhere in public I actually won't use the public Wi-Fi; I will turn my phone into a pretty strong password, WPA2 encrypted hotspot, and I will be the only one using it, and

then even if I'm running Wireshark it's just on myself and no one else is in. You guys with me on that? But if you have restrictions on your minutes or on your data, now we have a new issue, because now you're actually using more. You guys cool with that? So this isn't that great. So here's the best, okay... oh, this is actually still in the middle, or... I'm sorry, this is the better, low cost, all right. So if you guys go to, say, Verizon and you go to get like the 8 gig plan instead of the 4 gig plan, I think it's like 20

bucks. Anybody check that out? Anybody know that that's the case? Like to up it, it's pretty expensive. Yeah, you go from like 10 bucks on your plan to like 50; it's like 40 bucks a month. You do the math, that's almost 500 bucks a year, okay. So here's a trick I do, and this is great for both my laptop... I don't have a tablet right now, but if I had a tablet it would work on a tablet, and on my phone. I will purchase a... and I've been shopping around for a long time; they usually run about 10 bucks a month, usually about 100 bucks, okay, but again that's still way

better than 500 bucks for the data plan. But I found ipvpn, and I don't have any affiliation with them, but they do it: if you buy a year, it's 37 bucks for the whole year, three bucks a month, okay. I've been using them for about nine months now; they're rock solid, they do a great job. They're a little slow because I'm going out to other locations, but if I have to jump on a mobile Wi-Fi I will jump on, tell my phone with an app called... I have an app out there called, where's it at, 5 VPN, which is five clicks to get it running, and I'll turn on VPN, and now everything I do in that

Wi-Fi spot is in what form? Encrypted. And when I do my Wireshark now, it'll come through and say this is all encrypted, it went through a VPN connection, we can't help you. So if the bad guy's sniffing, and even if they're spoofing, we're good, right? I mean, to a high degree; there are ways to crack VPN, we know that, right? But it's going to be defense in depth, layers, right, and we've added a layer here. And what's cool about this is this works on... so if you have your laptop on a Wi-Fi spot, it works there; you've got your tablet, you've got your phone, it all will work

under the same account, as long as you're just using one concurrent connection, okay. So don't hand it to all your relatives and say "use this," because you may not be able to log in, all right. So so far so good? You guys good with that? All right, so now let's talk about it from a corporate standpoint, all right. So this is you guys as users: your mothers, your sisters, your brothers, your cousins, tell them about this. Say, you know, hey, go use ipvpn, spend, you know, 40 bucks a year and use this for all your devices if you've got to connect to an open Wi-Fi. If you've got to save that data,

you can save that data, okay, this way. And again it has a little bit of cost with it, but that's pretty cheap, three bucks a month. You know, I mean, I'm not going to do the Sally Struthers cup of coffee, but that's pretty close, okay, especially at Starbucks; you probably can't get it for that, all right. So, bring your own devices, malware infections. Now this is a problem. Now this is a new feature, that a lot of people say "we want you to let our phones in on here." I don't know why they do it, because if it was a laptop they'd say no, no, no, not without all the proper things, but they have that hard

time making that conception: computer with apps, or a phone, computer with phone capability versus phone with apps, right? So with that you can get infections. In fact, there's actually been, I forget the name of it now, but it is a Mac hack that waits until it sees a Windows machine and then it pounces. So it's sitting on the device, it could be sitting on the iPhone, it's going "let me at a Windows box, let me at a Windows box," and then jumps to it when it gets there, okay. So these devices can harbor all these bad things. Also, we said they're subject to our war walking, our war dining, all the

things that we talked about earlier, okay. Remote access resources: you know, you're using these out in the field, you're going to a job to do an assessment, okay; again, war walking, war dining, stroll trolling, all a problem. And the other problem is, let's say you run to use the bathroom real quick and come back and your laptop's gone, your phone's gone. If it was actively in a session they can get information. You guys with me? Now again, the threat's a little small, and I hope if you guys go use the restroom, it's much easier to put your phone in your pocket; don't leave it on the table. But stuff happens, you know,

people leave their phones in crazy places and things happen, okay. We all know, we've all lost devices, and this is the threat that we come at it with, okay. So again, make sure that your IT department, if they're going to bring these in here, they don't look at it as a phone; they look at it as what it should be, under the same policies as your laptops and your tablets. You guys good with that? Okay. It should be placed in the remote access domain, if you guys know the seven domains of security; this is effectively you're connecting externally, which makes it a laptop or tablet, okay. So we're good there. Now when

you can, you want to use either SSL certificates or a corporate VPN to bring it into the network, okay, and that's good for a couple of reasons. That helps you: you can segregate the network, you can bring this traffic into your network and then make sure it's subject to the corporate proxy and things like that. I don't know if you guys know or not, let's say that someone does bad things on a company computer on site; who's responsible? The employer as well as the employee; they both are responsible. But nonetheless it's kind of bad for the employer, because they didn't know that guy or girl

was going to come and do that bad thing, right? But they still are liable, okay. So if we can bring that data back in and make it subject to things like ACLs and group policy and proxies, we can start filtering that out, because we don't let them go to those malicious websites, we don't let them go to those, you know, unrated sites, okay, and this stuff will help us in terms of keeping this stuff working well, all right. So what's the takeaway? We have a computer in our pockets that can make phone calls, instead of a phone with apps; good with that, right? Okay. Public Wi-Fi points can be dangerous if one does not

understand what's at risk, what's at stake, right? Again, anything that you guys don't own and there's other people joined, whether it's McDonald's or it's a Coney Island or it's Cedar Point, if you don't own it you can't ensure that someone's not taking over this traffic. Airplanes do it now too; I don't know if you guys know, you can join Wi-Fi on airplanes. This is all subject to these attacks, and this is really easy. Think about that: you have your phone, you're on board, okay, everybody on this plane and all these CEOs that are sending their data, oh, they didn't use VPN? Right, just work on your evil laugh the whole

time, all right. Ask everyone if they've heard of these terms. So when you're talking to people, if you're talking to your mom, your sister, they have a smartphone, go ahead and talk about this stuff. Say, hey, have you ever heard of stroll trolling? Huh, what's that? Have you ever heard of war walking, war dining? Huh, what's that? This gives you... now you guys have a platform of definitions that will help push forward some conversation on this stuff so they understand the threats. And again, this is a new face to an old problem; we've had this for years with tablets and laptops, okay, but people really don't see their phones as falling

in these categories, all right. And so I had the BSides one up and running, the "BSides free internet," and now when I did BSides Chicago I only had to run it like two hours and I was able to get almost 50 people to join. Reason being, there wasn't a lot of access there, so people wanted to join on whatever was open and free, so they jumped on mine. Here there's a ton, okay, so, like I said, if I was a bad guy I would spoof into their existing network and then grab them that way, okay. So it didn't work as well here. I would love to say it was because I've

educated the world in terms of these things and they're not doing it anymore, but I really don't think that was the case today. But let's say you were hit with this: you know, what's the sensitive data on your machine? Have you checked that? What precautions are you taking to safeguard it? And do you have a VPN if you're using a wireless point? And again, these VPNs will work on all your devices, so you know, look into that, save yourself some money, okay. And then references, and we're done. So any questions for me? You guys good? Everybody's good, everybody knows the threats that they probably already knew about, about public access points? Yes sir. I have a

question. Your risks, you had... you said that it wasn't really worldwide; it is, but it's not that someone in China is logging in to get those packets. You have... you're at large. I agree with you; that's why I put it up in the high category. Okay, anybody else? You guys good? Okay, so let me put that one up. Oh, where you at? Oh, yes sir.

Right.

Scary. I agree, that's awesome, but these phones are owned by Grandma, by Mom, by sisters and brothers that don't know it; they're never going to tunnel an SSH out through that phone, right? Set that up, easy? Well, it depends. I mean, for instance, the VPN here is literally, once you purchase the service, it's externally run. Now here's the deal with that: it's not perfect, because what's going to happen, once you VPN tunnel, it's going to come out on their side as clear text again, but there's no one there to sniff it, what no matter, right now. But if it's corporate-based, they're going to have the VPN internal and it's going to explode out into their network,

which is different. You guys cool with that? You guys understand the difference there? Okay, so did I answer your question? No? All right, yeah, and a lot of people are skilled in this room; if you guys want to use things like SSH or any type of encryption on it, great, go for it. But the problem is, like I said, people go to the store, they buy their Verizon phone and they go "I got a new phone," and they go to any mobile, they go "I want to save my data," and they go on, okay. And again, if they're logging on to certain accounts they're going to get, you know, especially if anybody has like

really old AOL accounts or something, and like I said, Grandma and Mom, they might have been around 10 years doing it; they still don't use any encryption, so these accounts will just be sucked in and all that data will be presented. So what I tried to offer here was, instead of giving these complex SSH setups, just simply go pay some money and go from there. A good way to prevent ARP spoofing? Don't use open connections; that's pretty much it. If you are... and say you have a WPA or WPA2 enabled router at home with a 15 character password or more, you're probably pretty safe; they're not going

to ARP you, because they've got to join to ARP you. If they're on the same network you're pretty much in trouble. Now there is some stuff you can do, but the only thing that I know that can be done is that it may be able to pick up, because you are ARP spoofing, if there's an error with it, it may pick up irregularities in terms of the data. Still very hard to pick up, because it's a man-in-the-middle attack. It's, you know, Alice and Bob, if you guys are familiar with this, right? You put the man in the middle, and then from the man in

the middle there's two NIC cards. Alice usually talks directly to Bob, but now Alice is talking to the middle machine, and it's setting up its NIC card on the far side to look just like Bob, and the one on the other side to look just like Alice. So from Alice and Bob's perspective they're in the same places. You guys cool with that? So the ARP spoofing is creating that type of connection, so it's very difficult to see. Not all... I'm not sure about the phones, but not all devices are susceptible to... that's

true. Right, right. Yeah, and I have, like, I can misconfigure OU and

AD. God bless Linux. Not St... did not accept. Yeah, so again there's a lot of problems here, but again, even if they ARP it, are we good? Yeah, we're good, because again, it's encrypted at this point. So I don't think there's an easy solution for ARP, but if we take it, an ounce of prevention is worth a pound of cure here. Anybody else? And then we have to wrap up. Good, all right, thank you guys, I appreciate it.
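The check the speaker describes earlier in the talk (sniffing his own traffic and finding Active Directory credentials leaving an Exchange mail app over plain HTTP, and the username/password pairs NetWitness pulled out of the clear-text captures) can be done with a few lines of code against your own capture. Added example, not code from the talk, NetWitness or Wireshark: it scans an HTTP client stream saved as plain text (for instance a Wireshark "Follow TCP Stream" export) for a Basic Authorization header and for password fields in URL-encoded form posts, and masks any password it finds. The hosts, accounts, passwords and paths in the sample stream are constructed.

```python
"""Audit your own captured HTTP traffic for credentials sent in the clear.

Constructed sample traffic only: the hosts, accounts and passwords below
are made up for the demo.
"""
import base64
import re
from urllib.parse import parse_qs

# Form field names that commonly carry a password or a username (heuristic).
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
USER_FIELDS = {"username", "user", "email", "login"}

# Zero-width split: a new request starts at every HTTP request line.
REQUEST_LINE = re.compile(r"(?m)^(?=(?:GET|POST|PUT|OPTIONS) \S+ HTTP/1\.[01])")


def split_requests(stream):
    """Split a plain-text client stream into one string per request."""
    return [part for part in REQUEST_LINE.split(stream) if part.strip()]


def parse_request(raw):
    """Return (method, path, headers, body); header names are lower-cased."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def mask(secret):
    """Record that a password was seen without writing it to the console."""
    return "*" * len(secret)


def audit_request(raw):
    """Findings for one request: a Basic auth header and/or a password
    field in a URL-encoded POST body."""
    method, path, headers, body = parse_request(raw)
    where = {"host": headers.get("host", "?"), "path": path}
    findings = []

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = ""  # malformed token: nothing recoverable, skip
        user, _, password = decoded.partition(":")
        if user:
            findings.append({"kind": "basic-auth", "user": user,
                             "password": mask(password), **where})

    content_type = headers.get("content-type", "")
    if method == "POST" and "application/x-www-form-urlencoded" in content_type:
        fields = parse_qs(body.strip(), keep_blank_values=True)
        user = next((v[0] for k, v in fields.items() if k.lower() in USER_FIELDS), "?")
        for name, values in fields.items():
            if name.lower() in PASSWORD_FIELDS and values and values[0]:
                findings.append({"kind": "form-password", "user": user,
                                 "password": mask(values[0]), **where})
    return findings


def audit_stream(stream):
    """Audit every request in the stream. An empty list only means no leak
    in a form this script recognises (DNS, cookies and app beacons are out
    of scope)."""
    findings = []
    for raw in split_requests(stream):
        findings.extend(audit_request(raw))
    return findings


# Constructed client stream: an ActiveSync sync over plain HTTP with Basic
# auth (the misconfiguration described in the talk), a webmail form login,
# and a harmless page fetch that must not be flagged.
_BASIC = base64.b64encode(b"CORP\\jdoe:Winter2012!").decode("ascii")
SAMPLE_STREAM = "".join([
    "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1\r\n",
    "Host: mail.example.test\r\n",
    f"Authorization: Basic {_BASIC}\r\n",
    "\r\n",
    "POST /login HTTP/1.1\r\n",
    "Host: webmail.example.test\r\n",
    "Content-Type: application/x-www-form-urlencoded\r\n",
    "\r\n",
    "username=joan.sample&password=hunter2&flags=0\r\n",
    "GET /index.html HTTP/1.1\r\n",
    "Host: www.example.test\r\n",
    "Cookie: session=abc123\r\n",
    "\r\n",
])

if __name__ == "__main__":
    for f in audit_stream(SAMPLE_STREAM):
        print(f"{f['kind']:13s} {f['host']}{f['path']}  user={f['user']}  password={f['password']}")
```

Once the mail client is switched to SSL, as the speaker did, the same sync never appears in a capture as readable text, which is the confirmation this check gives you.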